Bug 167287 - Kerberos authentication cannot be used with FreeRADIUS due to SELinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Thomas Woerner
Reported: 2005-09-01 07:29 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-21 22:16:47 EDT


Description Joachim Selke 2005-09-01 07:29:17 EDT
Description of problem:
To use Kerberos authentication with FreeRADIUS the FreeRADIUS module krb5 can be
used (in /etc/raddb/radiusd.conf). This module needs access to /etc/krb5.conf
which is denied by SELinux.

All files have been relabeled before, so every security context should be
correct (selinux-policy-targeted.noarch-1.25.4-10).

When starting FreeRADIUS there are the following messages in
/var/log/audit/audit.log:

type=AVC msg=audit(1125573605.065:755): avc:  denied  { getattr } for  pid=11155
comm="radiusd" name="krb5.conf" dev=sda3 ino=328743
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1125573605.065:755): arch=c000003e syscall=4 success=no
exit=-13 a0=55555577f0f8 a1=7fffffc92cd0 a2=7fffffc92cd0 a3=2aaaabb26000 items=1
pid=11155 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95
comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC_PATH msg=audit(1125573605.065:755):  path="/etc/krb5.conf"
type=CWD msg=audit(1125573605.065:755):  cwd="/"
type=PATH msg=audit(1125573605.065:755): item=0 name="/etc/krb5.conf" flags=1 
inode=328743 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125573605.065:756): avc:  denied  { getattr } for  pid=11155
comm="radiusd" name="krb5.conf" dev=sda3 ino=328743
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1125573605.065:756): arch=c000003e syscall=4 success=no
exit=-13 a0=55555577f0f8 a1=7fffffc92cd0 a2=7fffffc92cd0 a3=4 items=1 pid=11155
auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95
comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC_PATH msg=audit(1125573605.065:756):  path="/etc/krb5.conf"
type=CWD msg=audit(1125573605.065:756):  cwd="/"
type=PATH msg=audit(1125573605.065:756): item=0 name="/etc/krb5.conf" flags=1 
inode=328743 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1


How reproducible:
Every time.


Steps to Reproduce:
1. service radiusd start

  
Actual results:
start of service succeeds, but the krb5 module is not working


Expected results:
krb5 module is working, because it has access to the Kerberos configuration in
/etc/krb5.conf
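
Added example, not part of the original report or of any comment on it: a Python sketch that groups audit records like those quoted in the description by event serial number and collapses repeated AVC denials into one entry per source type, target type, class and path. The function name `summarize_denials` and the embedded sample (the report's records joined onto single lines, SYSCALL fields trimmed) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: records from the report above, each joined onto one line
# the way auditd writes them; the SYSCALL record is trimmed to a few fields.
SAMPLE_LOG = """\
type=AVC msg=audit(1125573605.065:755): avc:  denied  { getattr } for  pid=11155 comm="radiusd" name="krb5.conf" dev=sda3 ino=328743 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1125573605.065:755): arch=c000003e syscall=4 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC_PATH msg=audit(1125573605.065:755):  path="/etc/krb5.conf"
type=AVC msg=audit(1125573605.065:756): avc:  denied  { getattr } for  pid=11155 comm="radiusd" name="krb5.conf" dev=sda3 ino=328743 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=AVC_PATH msg=audit(1125573605.065:756):  path="/etc/krb5.conf"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize_denials(log_text):
    """Return {(source_type, target_type, tclass, path): {"perms", "count"}}."""
    events = defaultdict(dict)  # audit serial -> fields merged from its records
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        if rtype == "AVC":
            perms = AVC.search(body)
            if not perms:
                continue  # granted or malformed AVC record
            ev["perms"] = set(perms.group(1).split())
            ev["source"] = fields["scontext"].split(":")[2]  # user:role:type
            ev["target"] = fields["tcontext"].split(":")[2]
            ev["tclass"] = fields["tclass"]
        elif rtype in ("AVC_PATH", "PATH"):
            ev.setdefault("path", fields.get("path") or fields.get("name"))
    summary = {}
    for ev in events.values():
        if "perms" not in ev:
            continue  # event carried no denial
        key = (ev["source"], ev["target"], ev["tclass"], ev.get("path"))
        entry = summary.setdefault(key, {"perms": set(), "count": 0})
        entry["perms"] |= ev["perms"]
        entry["count"] += 1
    return summary
```

For the records in this report it yields a single entry: radiusd_t denied getattr on a krb5_conf_t file at /etc/krb5.conf, seen twice.
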
Comment 1 Daniel Walsh 2005-11-03 14:06:33 EST
Fixed in selinux-policy-targeted.noarch-1.25.4-13
Comment 2 Joachim Selke 2005-11-05 13:31:44 EST
I use selinux-policy-targeted-1.27.1-2.11 and the problem (exactly as mentioned
above) is still there. A reboot (with autorelabel) does not change this.
Comment 3 Joachim Selke 2005-11-28 15:19:35 EST
The bug is fixed in selinux-policy-targeted-1.27.1-2.14. Thanks.
Comment 4 Bill Nottingham 2006-09-21 22:16:47 EDT
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.
